← Back

ILAY - authorization for Vaadin

ILAY - Authorization for Vaadin





Published on Vaadin  Directory Stars on Vaadin Directory


Ilay is a simple-to-use authentication-framework for Vaadin. It does not incorporate frameworks like Spring-Security or Apache Shiro, but brings it's own api which is custom-tailored for the use with Vaadin. Ilay deals with navigation ( 'is the user allowed to see this view' ) and visibility ( 'should this component be visible to the user' ).


add this maven-dependency to your pom.xml



Please note that thanks to the new API's in Vaadin 10+, no bootstrapping-code is necessary.

Let's assume the case that a certain route-target is only to be accessed by users that have the role 'administrator'. Now the first step would be to define an AccessEvaluator, that determines whether or not the current user has that role or not.

class IsAdminAccessEvaluator implements AccessEvaluator {

     *  instances of this class will be created by VaadinService, 
     *  which will delegate construction to the configured 
     *  DI-provider (CDI, Spring, Guice), if one is configured.
     *  This is why @Autowired will work here, assuming
     *  the Spring-Addon for Vaadin is being used.
    Supplier<UserRole> userRoleProvider;

    public Access evaluate(Location location, Class<?> navigationTarget, Annotation annotation) {
        return UserRole.ADMIN.equals(userRoleProvider.get()) 
            ? Access.granted() 
            : Access.restricted(UserNotInRoleException.class);

Note that an Access-instance is returned, not a boolean. Access has one granted()-method and a lot of restricted()-methods, which reflect the different reroute-methods in BeforeEnterEvent, to which they eventually delegate.

Now we need to connect the IsAdminAccessEvaluator to our view, the glue for this is an annotation with a nice speaking name and an @NavigationAnnotation on it, that specifies the AccessEvaluator:

    public interface OnlyForAdmins {

OnlyForAdmins can then be used to prevent users that are not admins from entering the protected views

     public class AdminView extends Div {

And that's it. Now users without Admin-permission will be redirected to an error-view.

Some readers may have noticed that the AccessEvaluator has a generic type-parameter for the annotation it is attached to. So if we like to have additional information in there, like:

    public interface OnlyForAdmins {
        String someAdditionalInfo();

We could change IsAdminAccessEvaluator to

class IsAdminAccessEvaluator implements AccessEvaluator<OnlyForAdmins> {

    Supplier<UserRole> userRoleProvider;

    public Access evaluate(Location location, Class<?> navigationTarget, OnlyForAdmins annotation) {
        return UserRole.ADMIN.equals(userRoleProvider.get()) 
            ? Access.granted() 
            : Access.restricted(UserNotInRoleException.class);


We hope you enjoy working with ilay, if you have any suggestion, feel free to open a github-issue or PR.

Sample code

@WebServlet(urlPatterns = "/*", name = "MyUIServlet", asyncSupported = true)
@VaadinServletConfiguration(ui = IlayUI.class, productionMode = false)
    public class MyUIServlet extends VaadinServlet {
@Route(value = "messages", layout = MainLayout.class)
public class MessagesView extends FlexLayout{

public class LoggedInUsers implements AccessEvaluator {

    private UserHolder userHolder;

    public Access evaluate(Location location, Class<?> navigationTarget) {
        return userHolder.isPresent() ? Access.granted() : Access.restricted("login");


(Loading compatibility data...)

Was this helpful? Need more help?
Leave a comment or a question below. You can also join the chat on Discord or ask questions on StackOverflow.


compiled for vaadin 7, restrictData not supported

Apache License 2.0


Vaadin 7.0+
Vaadin 8.0+ in 1.0.0-alpha-1
Vaadin 7.6+ in 1.0.0-vaadin-7
Vaadin 12+ in 3.0-Final
Vaadin 11+ in 3.0-Final
Vaadin 10+ in 3.0-Final

Vaadin Add-on Directory

Find open-source widgets, add-ons, themes, and integrations for your Vaadin application. Vaadin Add-on Directory
The channel for finding, promoting, and distributing Vaadin add-ons.